AWS Organization Discovery requires the AWS Master Account to be associated with an STS AssumeRole policy and read-only access. This article explains how to create the STS AssumeRole policy, associate it with the Master Account, and create the trust relationship with the Member Account.

Procedure on Master Account

  • Log in to the AWS console using the Root Credentials
  • Verify the AWS Organizations
  • The AWS Organization should be having a minimum of 1 Master Account and 1 Member Account 

The Master Account 

 The Master Account must have a policy with the actions below attached for it to be identified as the master of the "Amazon AWS Organization".

  • DescribeOrganization
  • DescribeAccount
  • DescribeListAccounts

 If the above policy actions are not available on the AWS Account, the account is treated as a regular account and not as the Master Account.

Manually add the Policies to the Account 

  • Log in to the Account that you would like to make the Master Account
  • AWS Services >> IAM >> Policies >> Create Policy 

    • Services: Choose "Organization" and "Accounts"
    • Resources: Account, Handshake, OrganizationalUnit, Policy and mark them for Any
  • Review Policy
  • Provide a Policy name and Create the Policy
  • Attach the policy to the Account  

Verify if the Accounts are Master or Member Account 

  • AWS Services >> IAM >> Organization Activity  
  • The Root will show a list of the Accounts, and some are marked as Master

Create User and Associate Policy on Master Account 

  • AWS Services >> IAM >> Users >> Create User (We can also use the Existing users)
  • While creating the user, under Access Type check "Programmatic Access"

Set Permissions to the user 

  • Choose "Attach Existing Policies"
  • Create Policy >> Choose the Below 
  • Service: STS 
  • Under STS >> Write >> select "AssumeRole"

Set the ARN at the Resources (Visual Editor)

  • Select Resource: Specific (Not All)
  • Click on "Add ARN"
  • The page will open to add the ARN:
  • Account: provide the "Member Account ID"
  • Role name with path: provide "OrganizationAccountAccessRole"

Set the ARN at the Resources (JSON)

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<Member Account ID>:role/OrganizationAccountAccessRole"
            }
        ]
    }

Add Policy to the User

  • Add "ReadOnly" and the newly created Policy to the User
  • Administrator Access is not needed

Verify the Summary of the User  

  • Copy the User ARN, which needs to be updated in 

Procedure on Member Account

Create a Role

  • AWS Services >> IAM >> Roles
  • Create a New Role >> Choose "Another AWS Account" and Provide the Master Account ID
  • Click Next 
  • Add the existing policy "ReadOnly Access" to the Role
  • Click Next 
  • Tags are not Mandatory 
  • Give the Role name as "OrganizationAccountAccessRole"
  • Submit to create the Role 

Add Trusted Relationship 

  • AWS Services >> IAM >> Roles
  • Click on Newly created "OrganizationAccountAccessRole" 
  • The Permission tab will show "ReadOnly Access" 
  • Click on "Trust Relationships" >> Edit Trust Relationship >> provide the Master ARN
  • The Master ARN is available on the User Summary page of the Master Account console; refer to the "Verify the Summary of the User" section above

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<Master Account ID>:user/User"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }
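As an added example that is not part of this article or of Discovery itself, the following Python builds the two policy documents from the procedure above (the STS AssumeRole policy for the Master user and the trust relationship for the Member role) and cross-checks them before they are applied: the user policy must name exactly one role in the Member account, and the trust must name exactly one IAM user in the Master account, so a wildcard or account-root principal is reported as a finding. The account IDs and the user name it uses are constructed placeholders.

```python
import re

ROLE_NAME = "OrganizationAccountAccessRole"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([^*]+)$")
USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/([^*]+)$")

def assume_role_policy(member_account_id, role_name=ROLE_NAME):
    """Identity policy for the Master account user (same shape as the JSON above)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{member_account_id}:role/{role_name}"}]}

def trust_policy(master_account_id, user_name):
    """Trust relationship for the Member account role, scoped to one Master user."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:user/{user_name}"},
        "Action": "sts:AssumeRole", "Condition": {}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_pair(user_policy, role_trust, master_account_id, member_account_id):
    """Cross-check both documents; returns [] when they line up and are narrowly scoped."""
    findings = []
    for st in user_policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        for res in _as_list(st.get("Resource")):
            m = ROLE_ARN_RE.match(res)
            if not m:  # "*" or a wildcard role name lets the user assume any role that trusts it
                findings.append(f"user policy resource is not one specific role: {res}")
            elif m.group(1) != member_account_id:
                findings.append(f"user policy targets account {m.group(1)}, not the member account")
    for st in role_trust["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            m = USER_ARN_RE.match(p)
            if not m:  # "*" or an account-root principal trusts far more than the Discovery user
                findings.append(f"trust principal is not one specific IAM user: {p}")
            elif m.group(1) != master_account_id:
                findings.append(f"trust principal is in account {m.group(1)}, not the master account")
    return findings
```

Run `check_pair(assume_role_policy(MEMBER_ID), trust_policy(MASTER_ID, USER), MASTER_ID, USER)` on the two documents you are about to paste into the console; an empty list means the Master user's policy and the Member role's trust refer to each other and nothing broader.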

Additional Information

Assume an AWS role for temporary Cloud Discovery credentials
Assuming member roles with an AWS API
AWS Organizations and Temporary Credentials
Discovery - Assume Role enhancements for AWS Organizations

Article Information

Last Updated: 2020-08-11 08:56:36